Tag: family member

Benjamin Stassen, like most young adults in their early 20s, had a FaceBook account and many others that he used online. As with all social media websites and websites in general Benjamin has usernames and passwords that kept others from accessing his accounts. Like everyone else, every time he used FaceBook (and other sites) he had to ‘sign-in’ in order to get into his account, and into his online life.

When Benjamin Stassen suddenly committed suicide in 2010 his distraught parents, hoping to gain some insight into why their beloved son had taken his own life, looked to his FaceBook and other social accounts for answers. They needed access to what is termed his ‘digital legacy’. What they got instead was a wall, unknowingly put up by Benjamin himself and guarded by ‘user agreements’, that made it extremely difficult to do that. In fact, it was almost impossible and has set off a debate about what constitutes ‘privacy’ after a loved one is deceased.

The Stassens eventually persuaded Google to give them access to their son’s email (through a court order) and FaceBook, grudgingly, followed suit but the problems they faced, and the concerns that their fight brought up, have shed light on an area of the internet that is still legally murky; who should get access to someone’s digital legacy in the event of their death and how can this be made legally possible?

It’s an important question to be sure. Many people have digital legacies that are quite extensive and even quite valuable. For example, what if a person has digital music that they have purchased and stored online in the cloud? Who has the right to this, and how does that person access it? Information, like that the Stassen’s were looking for, is the same and in some instances may be very important.

In the United Kingdom a study termed ‘Dying in a Digital Age’ found that although 4 out of 5 people have digital assets less than 10% of them have given any thought to how they will pass on these assets after they themselves pass on. Bank accounts, ISAs and online collections of digital art and music all have username and password protection but still very little in the way of protection for surviving family members.

The debate has just started and will get much more heated as more and more people pas that have digital legacies and no digital ‘last will and testament’ to say who gets access. Hopefully someday, when a solution is found, the light that was shed on this problem will have meant that Benjamin Stassen’s death was not completely in vain.

By Jess Myra

ABSTRACT

This paper presents insights on designing interactions for digital immortality after bodily dying, and will deal with factors of interactions with the digital archive for those who stay alive.

Current instruments for digital memento and digital archive administration will not be supposed to perform for submit-life communications and don’t sufficiently take into account the longevity of content material, digital legacies, and relevancy of content material over time.

Conclusions and insights from graduate thesis analysis are offered right here to tell applicable interactions for digital immortality. It will embrace how cultural legacies of the previous can encourage digital legacies for the long run. Also, correlations will be included from a survey addressing mementos, digital legacies, digital will planning, digital archives, and the dying of family members.

Considerations

Results offered listed here are primarily based on interviews and a web-based survey. This survey had a complete of one hundred fifteen respondents and integrated qualitative and quantitative questions. Input strategies had been through radial button choice, a number of checkbox choice, and free textual content entry. Questions coated normal demographics and 6 subsections (conventional mementos, digital mementos, digital will, your legacy, these gone, digital archives) totaling 31 questions with the choice for suggestions on the finish.

Participants had been unfold throughout 22 international locations, with most respondents from North America (60%) and Europe (24%). Gender division was males (sixty one%) and females (39%). The majority of respondents had been working professionals (seventy five%), with lesser respondents as numerous sorts of college students (18%), with nominal respondents both a keep-at-dwelling dad or mum or as “different”.

Introduction

Dusty picture albums and containers of letters (conventional mementos) are being changed with laborious drives and cloud storage (digital mementos). Instead of fading pictures and ink, we now have the endurance of digital bytes. As we transition to this new kind of digital content material administration, traces of ourselves begin to manifest that will retain life far after we die.

In human historical past, there has at all times been a want to go away a legacy and be remembered. This occurs at varied scales whether or not as a civilization, tradition, household, or particular person—suppose pyramids to gravestones. In trendy instances, our channels of communication have shifted from conventional to digital memento administration.

This compulsion to seize our lives for posthumous remembrance is named thanatography. This paper explores interplay alternatives for a way our digital legacies may be eternal and retain relevance to these dwelling lengthy after our loss of life. This a brand new strategy to human-pc interplay analysis in submit-life digital humanities referred to as thanatosensitivity.

Cultural Legacies

An essential half of analysis for this thesis examined cultural legacies which have survived all through the generations. Studies included: on-website visits, interviews with anthropologists, audio guided excursions, commentary, and reflections leading to matter upsetting questions.

The purpose of this portion of analysis was to find how present behaviors and historic societies can encourage the legacy of digital content material for the next generations of technocrats. The following cultural legacies had been examined:

Traditional Mementos

Traditional mementos are sometimes simply significant to the person who owns them and so they doubtless don’t even keep in mind the final time they dealt with them. Comparatively, many individuals need to be remembered lengthy after their dying so the paradigm of coveting private objects as a technique to retain a legacy to go on to others is just not very efficient. The which means and worth of conventional mementos can simply be misplaced to the following sequence of receivers.

Digital Mementos

We are amassing gigabytes of photographs, movies, and emails and we wrestle to parse significant content material at related instances from the collections. Web companies like Flickr, or software program purposes like iPhoto add some readability with organizational strategies like date stamping or tagging. Facebook’s implementation of the Timeline additionally helps us to reßect on shared moments primarily based on years of our lives. Yet, why is a date, key phrase tag, or yr related after we die? Does this meta knowledge add worth to our digital legacy when individuals need to entry it later?

The Archive

The digital archive is a set of all digital content material that the particular person owned together with the digital pictures, video, audio, emails, tweets, and textual content messages from that one particular person. However, the traces between digital archives aren’t so distinct. Typically, digital media is shared with others. Our milestone moments and recollections have worth as a result of we expertise them with folks. Consider the shared mementos between a household, or tight community of mates. The digital archive of somebody who has died in that context is considered much less as ‘theirs’ and extra as ‘ours’.

Ownership

We settle for a broader possession of digital content material as we tag our pals, they usually tag us, and we every share the identical content material independently by way of totally different shops. With so many channels obtainable to entry and share digital content material, and a lot of our time now being devoted within the digital realm, there’s a bigger viewers accessible that’s unparalleled by our conventional mementos. There is larger alternative to replicate our digital selves ahead to be remembered by future generations and extra importantly, to offer worth for them by way of our digital archives for an extended interval of time.

Everlasting Presence

As traces of our digital selves persist after we die, there’s alternative leverage digital media so our lives can proceed to be significant for our family members. We can retain relationships with folks we care about and make our life experiences out there for his or her profit. In essence, we will persist digitally to some extent after bodily demise.

Current platforms that exist haven’t been constructed for the performance of put up-life content material administration. Facebook’s Memorial pages are static archives in an energetic public platform that don’t handle the sensitivities of particular relationships. The Timeline group of content material is sensible for our personal self-reflection in life, nevertheless, as a digital archive it doesn’t present direct worth for others.

Remembering the Dead

One of the largest challenges with digital immortality is retaining relevancy of our digital content material over time so our lives might be precious and significant to future generations. In the interval instantly after loss of life, household and pals mourn and undergo the grieving course of. After acceptance of the dying, the particular person is remembered by these surviving by way of recollections and mementos. If the particular person was recognized first hand in life, triggers reminiscent of a spot, date, or scent can recall shared moments. However, what occurs generations after the demise of somebody and people people who knew them in life additionally cross away? How can somebody who has been lifeless for a very long time retain a legacy in digital content material that will have which means to future generations.

Activating Archives

Now we have now the chance to leverage qualities of digital content material to help differing types of relationships into the long run. With the copious quantities of knowledge being collected and shared about our private lives, there’s alternative to remain linked in new methods after dying. Algorithms primarily based on persona and character traits can auto-put up on somebody’s behalf—as seen within the new on-line service LivesOn that will tweet for you past the grave. Similarly, providers like Dead Social and IfIDie permit customers to ship preplanned messages in social media after demise.

Intersections of Life

However, not represented within the present suite of publish-life digital companies are the advantages of shared life experiences and commonalities throughout digital archives after dying. Namely, the second of overlap between somebody’s life and a digital second from somebody who’s lifeless might be beneficial in numerous contexts.

These corresponding life experiences will be accessible from the archive of people who have died to supply a brand new foundation for empathy all through life phases of the dwelling that the deceased can contribute to. This offers a chance to find new views on folks you thought you already knew, or new commonalities with a relative you by no means knew in life. Commonalities and shared experiences are timeless. They retain worth in new methods to totally different individuals, for various causes, at totally different moments.

Because now we have varied levels of relationships with individuals, we frequently wish to share and bear in mind folks in numerous methods primarily based on how we knew them. Also, the sort and quantity of info we will wish to share will depend upon how shut we’re to them. Thus, utilizing public platforms to serve the aim of many levels of relationships will not be applicable. It doesn’t fulfill the specificity of private relationships, and imposes moments within the public sphere that will possible not be anticipated and doubtlessly not desired as nicely.

CONCLUSIONS

With new retailers for connecting to a bigger viewers, and with traces of ourselves which can be left behind in digital media, it’s extra essential than ever to think about features of possession, longevity, and relevancy over time of our legacy after dying. Different from previous traditions, the long run of digital content material administration permits us to preplan and increase our digital archive to stay linked with family members and people in our social community lengthy after we’re bodily gone.

Through my analysis, I consider present present platforms don’t leverage digital media adequately for submit-life legacy in an lively contextual manner, nor does it assist the wants of these near us as a platform for communication and reminiscence in our bodily absence. I consider the traces between particular person digital archives are blurred and there may be alternative for our life to retain relevance far after we die by leveraging the worth of commonalities throughout our digital archives. Through shared recollections and availability of empathetic experiences, our lives can have that means over time through the wealthy digital content material that aggregates all through our lives.

There is a brand new alternative introduced to us that didn’t exist earlier than with conventional mementos. Fortunately, we’re in management and will get to determine what it means to command our put up-life digital selves—ought to we select to.

ABSTRACT

Death is an uncomfortable subject for many people, and digital sys­tems are rarely designed to deal with this event. In particular, the wide array of existing digital authentication infrastructure rarely deals with gracefully retiring credentials in a uniform fashion.

This research paper highlights an emerging paradigm: grace­fully dealing with expired digital identities in a secure, privacy­preserving fashion. It examines the confluence of modern browser technology, cloud services, and human factors involved in manag­ing a person’s digital footprint while they live and retiring it when they die.

We contemplate a potential approach to dealing with credentials after death by using cloud computing. We consider the reasons that such an approach may actually provide an opportunity for enhanc­ing authentication security by frustrating identity stealing attacks.

We note that this paper is not aimed at trivializing the real grief and loss that people feel, but rather an attempt to understand how security and privacy concerns are shaped by the end of life, with the ultimate goal of easing this transition for friends and family.

1. INTRODUCTION

This paper considers the security and privacy issues involved in the management of digital identities during and at the end of life, and whether a technological solution exists that can ease manage­ment and increase assurance against digital identity theft.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The focus of this paper is on identifying what kind of changes in authentication technology might more easily support security and privacy goals in passing on control of critical online identity aspects. In short, how do we apply thanatosensitive design (see Section 6) to information security?

1.1 Digital Footprints

Death can be an unpleasant subject. Yet, as we get deeper into the digital age, each of us leaves behind an even greater digital identity footprint, and managing the retirement of that collection of digital identities is an important task that falls on family members and friends after someone dies. Both practical and emotional issues abound: how do I close this online bank account? Should I leave up their hobby Web page or Twitter account [5] as a tribute to their passion? What do I do with 7GB of their email?

We accumulate a startling about of digital debris, and this state­ment seems particularly true of those born from 1990 onward, as we can see with the surge in social networking and increasingly vis­ible online lives. The digital information age is young enough that most participants are only beginning to deal with the management of digital identity and privacy concerns when loved ones die. Our digital footprints go far beyond embarrassing Facebook images. The transformation extends to the economy, society, and govern­ment: social networking, e-commerce, and “digital government” delivery systems are where our banking, retirement accounts, travel, shopping habits, book reading, music preferences, food ordering, etc. all take place online.

At the same time, most of our current identity management in­frastructure is rife with problems as old as low-entropy, guessable passwords or password reuse across accounts. The HBGary Fed­eral saga reminds us that both weak passwords and password reuse across accounts is still rampant [2]. Clearly, there is a need for strong management of multiple independent digital identities (in essence, containers: see Section 4).

1.2 Personal Identity Retirement, Revocation, and Cleanup

Personal digital identity and credential systems are typically set up with little thought as to how credentials might gracefully be retired in conjunction with other aspects of your digital identity. Even retiring individual credentials for organizations and machines is a known hard problem: for example, although mechanisms exist for certificate revocation, its use is subject to substantial challenges (e.g., cache coherency, certificate revocation list size and update frequency) in many environments.

For the retirement of personal identity information, the problem becomes somewhat more delicate. We note that our definition of “cleanup” goes beyond just deleting the account and content. Most

individual authentication mechanisms seem to assume a worldview in which they are the only extant mechanism, and “unsubscribing” or deleting an account is as simple an action as logging in, navigat­ing to a settings or profile management page, and asking the site to permanently disable or delete the account.

This paper suggests that the paradigm of holistic digital iden­tity management is more complex than that assumed by any single authentication mechanism or Web site account.

1.3 Our Definition of Identity

When we say “identity”, we mean the collection of informa­tion about a user contained in services as varied as banking and social networking. Such information includes both server and user­generated content and data.

We see identity as including (1) credentials (i.e., usernames, passwords, passphrases, email addresses, public keys, certificates, identifiers, roles, password “hint” questions and answers, SiteKey phrases and pictures) used to authenticate to the service and au­thorize different uses, (2) user preferences for interacting with that online identity, (3) personal information (i.e., names, account num­bers, address, contact information, date of birth, sex) stored by the service, and (4) content (e.g., account balances, comments, links, likes, posts, medical ailments) generated during the interaction of the user with the service.

We stress that this definition is not a complete one (although the “content” component is meant to cover most data not contained by the other three identity components we specified), but rather a reasonable working definition of the major types of data related to an individual’s real identity that they may wish to control.

1.4 Motivation: Containing ID Breaches

Our motivation to examine the possibility of well-managed end­of-life digital footprint erasure or retirement stems from recent in­cidents highlighting the very old problem of poor quality, reused credentials in software systems ranging from desktops to web sites.

We were motivated to explore this topic by thinking about classic problems with password-based authentication that are particularly compounded in an age where the demand for login credentials from multiple Web sites and services increases the pressure on ordinary end users to take shortcuts, including weak passwords and pass­word reuse across multiple sites.

From a systems perspective, these identities are not compartmen­talized. Given the expediency of using weak passwords and the existence of security-weakening measures like password recovery questions, guessing, brute-forcing, or deducing login credentials is relatively easy. Furthermore, given the prevalence of password reuse, corrupting even a single low-importance account holds the potential for corrupting a larger slice of someone’s digital identity.

Although identity management systems like OpenID exist for making it easier and more secure (by reducing the proliferation of weak authentication schemes and “roll your own” crypto, or so the claim goes) to log in to multiple web sites, web applications, and software, OpenID faces its own set of challenges and still supplies a single point of identity failure; a compromise of the main OpenID account leaves a large part of your digital identity open to access and manipulation.

What seems needed, then, is a system for creating identity con­tainers that (1) use strong credentials like completely random pass­words, (2) are strongly isolated from one another (i.e., a compro­mise of one set of credentials does not directly lead to a compro­mise of even a single other digital identity component), and (3) does so in a fashion largely transparent to the end user (in other words, a user has no chance to create a weak password or reuse a password because they are removed from these decisions).

Assuming that such a software system and service could be built (we sketch a design in Section 4) and done so in a way that is us-able and transparent, we next thought of the implications the de­ployment of such a service would have. For example, centralizing the management of all your online identity “aspects” opens up the possibility of greater control and greater abuse. But perhaps more fundamentally, given that our online digital identities are likely to grow by accretion as larger segments of society in the developed world move online, it is natural to ask: what happens to all this ac­cumulated information when we die? What are the design consid­erations for our identity authentication mechanisms such a system might interact with in the eventuality of death? In other words: how do we design authentication mechanisms that explicitly provision a mechanism for dealing with the death of the account holder and passing control to a designated beneficiary (or set of beneficiaries)?

1.5 Contribution

This paper attempts to examine the issues involved with the multi­lifespan management of digital identity. It examines the paradigm of how to contend with authentication and credential management of a single real person after their death. The key challenge is to gracefully deal with expired digital identities in a secure, privacy­preserving fashion. We examine the confluence of modern browser technology, cloud services, and human factors involved in manag­ing a person’s digital footprint while they live and retiring it when they die. We pay particular attention to the design of an authenti­cation and identity management infrastructure aimed at containing identity theft to a particular “identity container” stored in the cloud.

Proactive deletion of information carries a cost. Traditional au­thentication technologies present roadblocks to coherently and cleanly retiring a digital footprint in a single fell swoop. How can we better manage authentication credentials from the point of view of prepar­ing for the event of death?

1.6 Assumptions

We make several assumptions that not all might agree with. First, it is a desirable goal to ease the management of the decisions that the bereaved must confront. Second, account holders wish to pass on parts of their digital identity to a variety of survivors. Third, al­though deaths are significantly less frequent relative to “common” authentication actions like logins, they are of sufficient importance so that the mechanism should deal gracefully with matters of trans­ferability. Finally, we leave open the question of how to encourage people to undertake planning; we note that people delay other re­lated concerns like retirement planning and life insurance. We be­lieve that those concerned enough with their digital legacy would like some kind of unified management of their digital identity, and we suggest that increasing amounts of modern life will transition to the digital arena, making the task of retiring a digital identity more common or needed than traditional physical interactions like visit­ing a brick-and-mortar bank to close an account – particularly due to scalability issues in terms of the relative amount of physical vs. virtual interactions people are likely to have.

2. DIGITAL IDENTITY FOOTPRINT

How large are our digital footprints?1 As an anecdotal approach to answering the question, one of the authors has over 300 entries in a password database containing credentials for multiple Web sites, devices, and machine accounts. We suspect that many users can own to significant numbers of accounts and credentials, each form­ing a part of their total online identity.

Furthermore, it is likely that our digital identities will only grow more complex. As new services come online, and early adopters and the general public create accounts, these services may wane in popularity (see, e.g., MySpace). People are therefore likely to accrue accounts (for example, MySpace to Facebook to Google+). There is little incentive to proactively delete old accounts and email addresses; users simply “move on.” Second, as institutions like the Federal Government start to require online interaction (and in­stitutions like banks make it more attractive by charging fees for in-person services), large segments of the population will have no choice but to move to some form of online interaction. Figure 1 shows how data.gov requires a form of authentication in order to access some data. Setting aside privacy concerns, this type of inter­action is likely to become more common for otherwise innocuous reasons like tracking the value of the contractor or the popularity of certain content. In some sense, because online authentication has become easy enough to deploy as a service, there is little incentive not to employ it, but such practices only increase the complexity of dealing with retiring multiple digital identities.

These online accounts naturally have varying importance. A community newsletter may have less relative importance than an account with the Bank of Montreal (BMO). And these accounts may have varying levels of importance in the time following our death. The bereaved will certainly have to dispose of virtual (e.g., frequent flyer miles, fantasy baseball rankings), physical, and fi­nancial assets, but may also have emotional needs to satisfy by more deeply analyzing the digital aspects of a loved one’s iden­tity. Yet, wading through all these accounts (or even gaining access to the machine where the bulk of credential information is stored) may be a large technological hurdle for most people.

Our kin and executors have an interest in and important respon­sibility to dispose of our financial assets, but these may be scattered across multiple banks, financial institutions, and credit companies, all of which have an increasing online presence and a diminish­ing brick-and-mortar presence. They may have to work with our online tax preparer, multiple retirement accounts, multiple banks (possibly in multiple countries), and several credit card companies. Estate management by our family and executors is no easy task, and the amount of digital interaction and access through an inaccessible set of credentials only makes the task more daunting.

Our family and friends may have an interest in our online social circle (and we may have an equally strong interest in preventing them from discovering it); those in it (e.g., Facebook, LinkedIn, Twitter) may wish to learn about our passing.

Our professional circle (professional organizations like ACM or IEEE, our colleagues, research partners, funding agencies, students, scientists) also has an interest in learning about one’s passing and possibly obtaining access to research material, code, reports, arti­cles, and other intellectual property.

It seems, then, that most of our online lives will need to be dis­posed of in some way, but existing authentication frameworks don’t make this an easy task. Furthermore, we should have the ability to control such dissemination in a fine-grained fashion; one should be able to specify which sites, accounts, and identity aspects are available or accessible to which type of “identity beneficiery.”

2.1 Value of a Unified Approach

A unified approach to digital identity retiring and cleanup offers control to both the bereaved and the deceased. Our family mem­bers are likely to only think of financial and work benefits issues in the short term. In time, they will likely want or need access to a larger piece of the decedent’s digital identity. A unified frame­work for identity management could provide quicker access (vs. going through legal channels), and it could help the bereaved by-pass the types of restrictions that we see in the Yahoo terms of service imposed on accounts of the deceased. Such an automated mechanism would also relieve service providers of the burden of verifying death certificates or retrieving backups of deleted data for persistent kin. It also offers a degree of control to us while we are alive: we can specify which people will have post-mortem access to specific files and data. Such a facility could be particularly helpful in awkward situations (hidden bank accounts, etc.).

2.2 ID Management

Today, we may depend on a privately stored file, a paper folded in our wallet, or our browser to store the URL, username string, and password required for entry into these sites. We may reuse a single contact email across accounts and even use (and reuse) a weak password. Password recovery hints (or links) for many sites are sent to our contact email account. All these factors make it easy for attackers to hijack a significant part of our digital presence by compromising only a single set of credentials.

3. SURVEY OF TERMS OF SERVICE POLI­CIES

Revoking single, purely digital credentials such as X.509 certifi­cates is a known hard problem. Gracefully retiring personal iden­tity information poses a somewhat more difficult problem. In fact, some Terms of Service contain provisions that make such cleanup difficult, even for those that survive the account holder.

While some services (notably Amazon2) neglect to specify how accounts should be terminated, other services do sometimes contemplate death within their terms of use. For example, the Yahoo terms of service3 state:

No Right of Survivorship and Non-Transferabiity. You agree that your Yahoo! account is non-transferable and any rights to your Yahoo! ID or contents within your account terminate upon your death. Upon receipt of a copy of a death certificate, your account may be terminated and all contents therein permanently deleted.

Even when thought is given to handling the retirement of an ac­count, its usability seems quite low. For example, email accounts might be set to expire after a year or so of inactivity. The Yahoo YMail Terms of Service state that an account may be suspended for a variety of reasons, including “…(e) extended periods of inactiv­ity,…”, and that the actual enactment of such a suspension may take one of several forms:

(a) removal of access to all or part of the offerings within the Yahoo! Services, (b) deletion of your pass­word and all related information, files and content as­sociated with or inside your account (or any part thereof), and (c) barring of further use of all or part of the Ya­hoo! Services.

Such terms of service seem to provide little in the way of comfort or usability for those mourning the loss of a loved one.

3.1 Overview of Policies

We examined policies for several types of accounts (Banking, Social, Healthcare, Cloud Services, and Email) across the United States, Canada, and the UK. This study is still ongoing; we present our partial results in Table 1 and anticipate having more by the workshop.

Some reviewers asked us to take a more international view on this topic; we are in the process of gathering data for multiple countries (primarily English-speaking, e.g., US, UK, Canada, Aus­tralia). In Table 1, there are a few things to note. USAA does not have a death or transfer clause, but states that certain provisions will remain in force past the Agreement termination. Wells Fargo’s on­line account terms of service only talks about death in reference to terminating a “Delegates” access (a Delegate is defined as someone with temporary legal control of the account).

English-speaking Canada does not have separate Facebook do-main (instead it uses facebook.com). Google Health (which is wind­ing down) does not provide any survivorship clauses in the Google Health TOS, Google Health Privacy Policy, or the Google Account TOS. We plan to expand the E-health category with TOS from E­health agreements of Canadian Provinces and US States.

We note that most services contain language about the user’s re­sponsibility not to share login credentials or let others use the ac­count. Very few talk explicitely about death, the bereaved, or ex­ecutors; of the ones that do (such as Yahoo!) they typically forbid such transfer.

4. CLOUD IDENTITY CONTAINERS

In this section, we sketch the design of a system meant to manage multiple independent aspects of our online digital identities. A side effect of our attempt to consider the trustworthiness properties of such a digital identity management “solution” is to consider how this framework might be used in the event of the identity-holder’s death.

4.1 Observations

Users already trust their web browsers to store a collection of usernames and passwords for a variety of different Web sites; one author has nearly 180 entries representing over 100 Web sites in one of his frequently-used browsers, another has about 85, and the third has 15.

Users should not have to invent or create strong password mate-rial. A trusted agent (such as a browser extension) running locally can do this task. This includes answers to things like “password hint” questions. Some browser extensions (and Apple’s Airport Utility) already provide such a “strong password” creation service. More generally, users should have the burden of of managing and remembering credentials removed from them.

Aspects of a user’s digital identity should be strongly separated from other aspects. For example, a user’s Amazon cloud services account should not share an email address, username, or password with a photo sharing Web site. An attacker that manages to learn the Amazon credentials should not be able to access the photo sharing Web site and vice versa. In essence, an identity management solu­tion should provide “identity containers” that are strongly isolated from each other.

Storing credentials and other account information locally on disk or semi-persistently in the browser’s memory is less trustworthy than storing them in a special purpose, remote access facility.

Remote management of identity credentials offers users the abil­ity to bypass restrictions like deletion of their personal information should they die or be otherwise unable to access the data.

4.2 Design

We envision a browser extension that augments current “pass­word management” browser (and extension) functionality. Such a browser extension would:

intercept the process of creating credentials for each new Web site or Web application

pass through any CAPTCHA-style queries involved in cre­ating these new digital identity aspects to the user via the browser interface

store this digital identity information in a cloud storage ser­vice

retrieve this information when the browser attempts to log into a web site due to user action

One criticism here is that we still need to authenticate the fact that a user initiated a log-in to a particular website, and that re­lying on the user to supply weak credentials essentially protects high-value credentials with low-value credentials. We are open to suggestions about a more secure mechanism.

4.3 Cloud Storage

Rather than storing credentials locally where they may be sub­ject to theft by malware, the extension can forward them to a cloud storage service; this service essentially becomes a trusted identity container provider. This provider can encrypt and distribute these identity containers in ways that make it difficult for an attacker to subvert or steal multiple credentials at once. Furthermore, since the browser extension creates individual profiles and contact infor­mation (e.g., email address) for each credential, an attacker that gains control of a single credential or email address (for example, via disclosure by the email provider) will only have access to that particular identity information. This type of service is particularly useful to survivors that do not have local access to the decedent.

Why Cloud?

One observation we received in early reviews of this paper was the question: “why is cloud computing involved here?” We men­tion the use of cloud computing not in an effort to jump on some hype-fed bandwagon, but rather as a reasonable, modern platform for delivering an identity management service to end-users. Our focus on cloud is mainly to help focus the shape of an independent identity inheritance / management service along concrete lines. What is important about this service is the business model, and the col­lection of technologies and techniques behind what might be cur­rently termed “cloud computing” provides a relatively low barrier to entry for those wishing to provide such a service. In some re­spects, projects like KeePass that can store their password database in Dropbox are early versions of such a service, but lack the man­agement and inheritance components we discuss below. In any event, the specific technology is less of a focus; we suggest browser extensions and cloud storage only a means to show how such a ser­vice may practically be deployed with current technology.

4.4 Handling Identity Inheritance

The user should have the ability to arrange with the cloud provider which set of identity containers is revealed to which set of sur­vivors. In other words, the user specifies which aspects of their digital identity are forwarded to which “identity beneficiary” upon their death.

The user can also choose what combination of events might trig­ger a transfer of identity information; certain containers may be released if the user fails to respond to a keepalive test (e.g., some­thing like deathswitch.com or a semi-annual email reply requiring a human rather than automated answer), and certain other contain­ers may be released only on presentation of a death certificate and other identifying information.

The identity container provider could also offer to save (inde­pendent of the functionality of a specific identity container) other critical physical or virtual documents (e.g., SSN card, birth certifi­cate, legal or financial documents) to be delivered with control of the container to the survivors.

4.5 Service Partners

One substantial obstacle to such a system is the required “net­work effect” of getting multiple Web sites to buy-in to allowing their users to use this service.

While the service could be deployed without the permission of the Web sites that the user interacts with, the user might be violat­ing the Web site terms of service by allowing others to access the account after they have passed.

As a practical matter, getting broad acceptance for such a service will likely be made easier by gaining the cooperation of various service providers; they should be persuaded to include exceptions for such services in their conditions of use and terms of service. Sites would have to “buy in” to the service. One way they may be convinced to do so is that users might be attracted to their ser­vices if users know that the services are certified or compatible with transfers of ownership in the event of death. Furthermore, these service providers (e.g., Google, Amazon, Microsoft) face a scala­bility problem: it may pose significant workflow problems to have to manually respond to everyone with a death certificate seeking access to a loved one’s data. Handing off this service to a trusted third party may provide an attractive solution.

Another obstacle is the economic model for this service. It would be too close to extortion to ask survivors to pay a fee for access to someone’s data; a subscription model, where the cost is borne by the user while they are alive (similar to a life insurance model) seems much more workable. Still, the identity container provider faces significant risks from external attacks because it is a publicly known source of credential information. A serious compromise could lead to multiple identities being disclosed, and the potential for an insider attack might be significant. These pressures might in­crease the cost of protecting such a service far beyond what people might be willing to pay.

Furthermore, although large organizations like credit rating agen­cies might have the financial resources to take on such a service, they may have a conflict of interest in administrating this informa­tion, and are likely to view it as part of their intellectual property, rather than seeing their role as a trustee of sensitive third-party in­formation.

5. DISCUSSION

One of the best ways to avoid information disclosure is not to store data in the first place, but such restraint is not common, and proactive deletion of information carries a real cost (time and en­ergy spent to trace information and securely erase it). Traditional authentication technologies present roadblocks to coherently and cleanly retiring a digital footprint in a single fell swoop. How can we better manage authentication credentials from the point of view of preparing for the event of death?

We wish to facilitate discussion at the workshop on the following questions:

Is it possible to design even a single authentication mech­anism that gracefully handles the event of death? Setting aside the question of how to federate or manage multiple identities, can a single authentication mechanism gracefully expire credentials or automatically delegate them based on “real world” measurements like the existence of a death cer­tificate? Are “heartbeat” services like deathswitch.com re­ally the best solution?

Do the dead have a right to privacy? It does not appear to be the case, but they may still have property rights; the CNET article “Taking Passwords to the Grave” [17] quotes Marc Rotenberg, executive director of the Electronic Privacy In­formation Center: “The so-called ’Tort of Privacy’ expires upon death, but property interests don’t,” he said. “Private e-mails are a new category. It’s not immediately clear how to treat them, but it’s a form of digital property.”

Given that the most likely legal framework to apply is that of property rights, How does digital identity information com­pare with other physical “material” property belonging to the departed?

How large are current digital identity footprints? A well­done user study exploring this data might shed light on the complexity of managing multiple identities.

Do the dead have the right to specify the enforcement of com­partmentalization of their digital footprint? It seems clear that users engaging in any form of estate planning should have firm footing to specify how to dispose of their digital identity.

Who “owns” a set of digital credentials: the user or the ser­vice they are meant to authenticate to? If a third party gener­ated them (e.g., a browser plugin on behalf of a company or developer), does the third party have any rights? We may be wading into legal murkey waters here (we just don’t have the background to know) – but it seems like any comprehensive definition of “identity” (like the one we gave in Section 1.3) would likely include elements that service providers would think of as their property, setting up a conflict over control of these assets.

What are the usability concerns of an identity protection sys­tem meant to ease transition of digital identity information upon the event of the owner’s death?

Under what conditions should a provider of such an iden­tity container storage solution be compelled to release this private data? What is the legal framework that should be applied?

How do survivors prove to the ID container provider their identity? Some services offer to provide data to survivors or executors, but only after a significant amount of paperwork.

What are the reasonable constraints on the cost of this ser­vice? Is an insurance model the most ethical? A centralized identity management solution seems distasteful (witness the reaction to the US National Strategy for Trusted Identities in Cyberspace), but for a marketplace of such services, can they ethically make money when they might be seen to be goug­ing the bereaved? Does an insurance model for the deceased work?

How liable should the identity container provider be for dis­closure? Do special penalties apply? If there is a viable business or public service in running such a provider, do they have a special responsibility to procure “above average” pro­tection, auditing, and mitigation techniques against cyberat­tack?

Is adding yet another layer of management to digital iden­tity just compounding the problem? People already struggle

with identity overload (and compensate in ways like pass­word reuse and weak passwords); although a cloud-based identity provider framework seeks to decrease this cognitive load, adding yet another layer of indirection to a fractured authentication landscape might be a cure worse than the dis­ease.

Our identity is different than existing web services; we offer fine­grained control rather than an unlocked vault.

6. RELATED WORK

A significant amount of work exists on the topic of authorization and authentication; this subfield is a staple of the information secu­rity discipline. This paper deals with the usability of authentication schemes (more precisely, digital identity management schemes). Recently, the topic of usable security — particularly usable authen­tication schemes — has received a great deal of attention. Graph­ical password schemes were suggested as an easier-to-remember alternative to traditional weak passwords, but even these schemes have weaknesses suggest Biddle et al. [1]. The PassThoughts [22] paper from NSPW 2005 explored the feasibility of a mentally­driven approach to authentication.

6.1 Identity Management Failures

It seems that however much attention we pay to creating usable authentication mechanisms, identity management remains a chal­lenging task. The recent Epsilon episode [21] shows us a fail­ure mode of outsourcing user identity information to a third party. From Target and Best Buy to Citigroup and Marriott, valid user names and email addresses were disclosed by a single intrusion [4].

Recent headline-grabbing attacks by movements like Anonymous and LulzSec demonstrate the ease with which PII and account in­formation can be obtained and released, along with reminders of how poor real-world password practices are (see, e.g., Figure 3; this screen capture was taken from the “Police-Led Intelligence” blog [19]). In other LulzSec-related news, Troy Hunt performed an analysis of Gawker and Sony passwords, finding, among other things, that 50% of passwords were less than 8 characters, only 4% of those passwords contained three or more types of characters (and only 1% included a non-alphanumeric type), and fully “two­thirds of people with accounts at both Sony and Gawker reused their passwords.”4. An earlier companion article lists the 25 most popular passwords for Gawker and rootkit.com, and these two lists bear a great deal of similarity to the Sony set5.

6.2 Death and Computing

In recent years, computer scientists and system designers have begun to understand the implications of death as it affects the so­cial, technological, and personal dimensions of computing. Human­computer interaction (HCI) researchers have recently embarked on a series of studies seeking to unravel the complexities associated with death and computing. A CHI 2010 workshop (“HCI at the End of Life: Understanding Death, Dying, and the Digital”)6 ex­plored this topic and was organized by one of the co-authors of this paper.

Massimi and Charise first drew attention to this area by envision­ing a system design process called “thanatosensitive design” which, death is an issue so immense that it often requires the expertise of multiple disciplines, including law, psychology, medicine, social work, and more. Researchers in human-computer interaction have suggested technology design at the end of life be framed in an ap­proach borrowed from development psychology – that of looking at the human lifespan [16]. In so doing, stakeholder groups and important themes are highlighted. This framing also suggests that the individual’s orientation towards death be considered throughout their own, and across multiple, lifespans. The application areas and needs throughout the lifespan shift; for example, writing a will is an activity often seen as impractical during youth, but immensely important as one grows older.

Beyond framing the space, HCI researchers have also sought to understand the social processes and tools that are involved dur­ing bereavement. One study investigated how personal technolo­gies such as PCs and mobile phones are handled following a death in the family, and found that inheritance of such technologies is a complicated and difficult process, with passwords and biomet­rics commonly causing problems in accessing crucial data post­mortem [13]. At the same time, these technologies symbolize a relationship which survivors continue to cherish, and they use tech­nologies to continue the relationship in many ways. For example, Odom et al. describe a woman who buried her loved one with his cell phone so that she can continue to send him text messages [18]. The unique needs of the bereaved, and how technologies might be sensitively designed around these needs, has also been inves­tigated through focus groups and interviews with bereaved parents and thanatology professionals [14]. One specific need from this study included the desire to be sheltered from others and the world immediately following a death, with the suggestion that we design technologies to shelter as much as they might connect.

Social networking websites such as MySpace and Facebook sim­ilarly permit relationships to endure past death. One study of MyS­apce found that the bereaved employ these websites to maintain rituals and write to the deceased, with predictable patterns of use during special occasions such as birthdays, death days, holidays, and so on [3]. Textual messages posted to profiles of the deceased comprise the majority of the interaction on such sites. In a re­cent linguistic analysis of messages posted to the walls of deceased Facebook users, Getty et al. found that several forms of grieving ac­tivities (e.g., sharing stories, expressing emotion) traditionally per­formed at memorial services are now taking place on these sites [8]. They place this finding in terms of Goffman’s “dramaturgical” ori­entation towards social performance, which describes “front stage” and “back stage” activities that work together to create social sit­uations [9]. In so doing, we see that many back stage activities (e.g., expressions of grief) are becoming visible to larger audiences on these social networking websites, alongside other more cultur­ally acceptable forms of mourning. In the case of Canadian author and blogger Derek K. Miller [20], his friends and family used his pre-written last blog post as part of the grieving process.

Still other work has focused on what death means at a more cul­tural, widespread level. Technology plays a role in the recording, storage, curation, presentation, and stewardship of cultural histo­ries. The Spomenik project – a form of “pervasive monument” – for example, allows mobile phone users to retrieve location-specific in­formation about the mass grave sites from Stalinist purges of Slove­nia and Yugoslavia in the 1940s [12]. Other researchers have used digital technologies to capture, organize, and disseminate testimo­nials from the Rwandan Genocide, remarking on the set of methods needed for designing multi-lifespan information systems [7].

Commercial products have also been designed to accomodate the unique needs that accomopany death in the digital age. For exam­ple, companies such as Entrustet permit users to upload sensitive information with the assurance that the information will be deliv­ered to designated people upon the user’s death (http://www. entrustet.com). Deathswitch.comallows users to sign up for prompts to ensure that the user is still living; in the event that the user does not respond to the prompt in a timely fashion, the web service will automatically send out emails to designated parties. Other websites offer users the opportunity to plan out their own funerals (e.g., http://www.memorialhelper.com).

6.3 Advice

Recent articles consider best practices for keeping track of digi­tal identity assets after death. Lifehacker [6] recommends making a list of your accounts, reviewing them to determine which you might want to survive or “go dark,” and placing the authentication credentials on a USB token along with detailed instructions about actions to take with each account. A 2006 CNET article [17] de-scribes advice from estate planners to put this information in an es­tate planning document (where it will have legal force). The recent Wall Street Journal article “PINs that Needle Families” [10] pre­scribes similar advice. We note that although this approach (writ­ing authentication credentials down on paper) seems appealing and intuitive, it only provides a static snapshot of your digital identity.

7. WORKSHOP DISCUSSION

The lively workshop discussion explored different directions and attempted to understand how this topic might present new and unique security and usability challenges.

The discussion began with a brief, informal straw poll of work­shop participants as to how large they thought their digital footprint was in terms of number of accounts; answers seemed to fall into two clusters: 19 responses in the 100 to 750 range and 7 responses in the 50 to 80 range, with one guess at around 1000 and one person declining to answer.

Our moderator, Richard Ford, asked what our definition of digital footprint was, and we moved to our slide with the definition from Section 1.3.

The question arose as to how much control you actually have over your digital assests after your death; we highlighted the advice from the CNET [17] suggesting the theory that property rights may persist, but Steve Greenwald asserted that all rights cease when you die, whether property or privacy.

During the ensuing discussion, we highlighted the point that peo­ple will have to deal with this issue more and more in the future; Angelos Keromytis suggested that perhaps we were really advocat­ing a form of “family-based key escrow”, to which we concurred.

One participant asked whether there were similarities to the garbage collection process; we felt this might be a bit of a stretch of the analogy.

Lizzie Coles-Kemp suggested that this paper was closely related to the activity of the digital curation community (in both traditional and “active” forms), but they were not looking directly at authen­tication techniques. We certainly agreed. She also made the point that some social institutions are set up to deal with power of attor­ney while others were not. We feel this reinforces one of our key points: that no uniform, cohesive approach exists to this problem.

MEZ pointed out that companies often have explicit rules and business processes to deal with such events and eventualities; we concurred, but suggest that they are out of scope: money is at stake and they have evolved and implemented the necessary structures to take care of their slice of someone’s authentication footprint. The issue in this paper is that families and friends seldom have a workflow process for dealing with someone’s death.

One participant asked about what happens when a company hold­ing some of your digital footprint itself ceases to exist; we admitted that the ownership rules here are murky (this is one of the potential issues we list in Section 5).

Someone made the point that personal security figures into most security scenarios: now, by offloading crendential management, the risk to life and limb might decrease in favor of a break-in at the remote storage facility.

Jeremy Epstein suggested that one way to influence the NIST NSTIC was to select providers that had a specific policy for this issue.

As the discussion came to a close, there was some agreement that there might be some very interesting usable security issues lurking here, especially with the proposal to create an identity mediator and make delegation natural. We also received links to some in­teresting projects, including an EU project (www.primelife.eu) and (digitaldeathday.com).

8. CONCLUSION

Many information security paradigms seem to ignore the human element in security problems and scenarios. Even disciplines that take human interaction into account (e.g., HCISec or usable secu­rity) seldom examine long-term phenomena.

A good expression of this paradigm is in the eventual shift of large parts of our society and economy into the online realm (e.g., banks that are completely online): it is likely that we will have to deal with organizations electronically.

The accrual of a heterogeneous, distributed digital identity foot­print presents unique and interesting authentication, authorization, and privacy issues — particularly related to how such an identity collection should be retired after a person dies.

Acknowledgments

We appreciate the reviewers’ comments and the guidance of our shepherd, Michael Franz. We also appreciate the responses and feedback we received during the workshop: we apologize in ad­vance if we mis-remembered or misrepresented anyone’s comments or point of view. Thanks also to the scribes for our session, Matt Bishop and Cormac Herley.

Locasto acknowledges the support of Canada’s NSERC (Natural Sciences and Engineering Research Council) through a Discovery Grant. Massimi acknowledges support from the GRAND NCE (a Canada Network Centre of Excellence).

[12] KOSEM, J., AND KIRK, D. Spomenik: Monument. In CHI 2010 Workshop on HCI at the End of Life (New York, NY, USA).

[13] MASSIMI, M., AND BAECKER, R. M. A Death in the Family: Opportunities for Designing Technologies for the Bereaved. In Proceedings of the 28th International Conference on Human Factors in Computing Systems (New York, NY, USA, 2010), CHI ’10, ACM, pp. 1821–1830.

Federal Criminal Legislation. The Federal Government enacted the Computer Fraud and Abuse Act (CFAA”) in part to criminalize internet theft, data theft, computer hacking, and other forms of internet crime. As written, CFAA criminalizes the unauthorized access to any computer, online service or online account. Unfortunately, to determine who may and may not access a specific account, even with the explicit permission of the account holder, you must read the service or account provider’s Terms of Service contract. As an example, Facebook’s Terms of Service Agreement prohibits anyone from logging into a user’s Facebook account, other than the user themself, even with the permission of the user. Therefore, a family member, friend, or even a fiduciary that logs into a Facebook account, using the password provided to them by the user themself, has violated the Terms of Service contract and is now committing a federal crime under the CFAA. Fortunately, the Department of justice has made it clear that they are not looking to enforce the CFAA when dealing with simple violations of online Terms of Service contracts, unless there are other more criminal factors involved. However, as advisors to our clients, and to fiduciaries such as Power of Attorneys, Executors, and Trustees, can we ethically advise clients to access digital assets and accounts where we know that they will be committing a crime under the CFAA? Further, if our fiduciaries do decide to access such accounts and commit a crime, how will we respond to a challenge from an unhappy beneficiary who is aware of the access and its violation of the CFAA?

B. Federal Privacy Legislation. In addition to the criminalization of unauthorized access of digital assets and online accounts, the Federal Government has also passed the Stored Communications Act (“SCA”) which creates a right to privacy for data and information stored online. Similar in nature to the federal health information privacy act (often referred to as HIPAA), the SCA creates specific guidelines as to whether, and when, providers of electronic communication services and holders of online data can release the information. As you will see below, these protections can create significant hurdles for family members and fiduciaries who attempt to access information stored online with these service providers and content holders.

1) Law Enforcement Agencies may compel the release of the information otherwise protected by the SCA through the use of subpoenas and other legal procedures.

2) Service providers are prohibited from disclosing information, or granting access to accounts, to non-Law Enforcement individuals (family and fiduciaries), unless one of the statutory exemptions are met. While there are exemptions for specific situations such and employment related emails being released to an employer or being disclosed during a lawsuit against a business, the main exemption that we should be aware of and plan with is the “Lawful Consent” exemption found in Code Section 2701(b)(3) of the SCA. This exemption allows a service provider to voluntarily turn over (or grant access to) stored information if the recipient has the lawful consent of the creator of such digital asset to access such information. However, this exception only provides that the service provider MAY turn over the information, but does not require them to. In fact, there are several national cases where service providers have chosen not to disclose the information. In these situations where the recipient actually had lawful consent, the courts indicated that the SCA exemption does not mandate the disclosure of the stored information, and that the courts could not compel the distribution of the information under the SCA even through legal proceedings.

C. State Criminal Legislation. Every state in the United States has its own version of computer and online fraud statutes that it uses to be able to bring state law charges for online theft, fraud, hacking, and other internet and computer crimes. In Florida, we have Florida Statute §§ 815.01-815.07 (“Florida Computer Crimes Act” or “Florida CCA”), enacted in 1979, which provides our state legislation. Typical violations under the Florida CCA are

unauthorized access of another user’s account

unauthorized modification, deletion, copying of files, or programs

unauthorized modification or damage of computer equipment.

However, Florida-based businesses usually prefer to pursue cases under the federal CFAA for relief because the Florida CCA allows plaintiffs to bring the civil action against a hacker only after a criminal conviction is successful.

State Fiduciary Powers. Given the lawful consent exemption to the SCA that was discussed above, several states have amended their state statutes to provide that fiduciaries in their state shall be deemed to have lawful consent to access online information under the SCA. This is intended to open the door to allow service providers to voluntarily disclose stored content without the fear of having to determine on a case by case basis whether the fiduciary of an account holder has been given lawful consent. Unfortunately, to date, only five states have enacted such laws (Connecticut, Idaho, Oklahoma, Rhode Island and Indiana), and another 18 states have a relevant bill introduced (California, Colorado, Maine, Maryland, Massachusetts, Michigan, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Virginia), with the majority of the pending legislation introduced in the last 2 years. Unfortunately, even the enacted statutes provide little guidance in the form of definitions and procedure, and therefore while certainly a step in the right direction, these enacted and pending statutes have a long way to go to fully fix the access problems.

Website and Service Provider Contracts. Online service providers mandate that all users agree to the provisions of a Terms of Service Contract (“TOSC’s”) which governs the actions of both the service provider and the user. Unfortunately, the TOSC’s are a take it or leave it situation, and can not be negotiated by the user. Can you imagine if each user could independently negotiate the terms of his or her contract with iTunes or their email service provider? Therefore we are relegated to accepting the often one-sided terms mandated by the service provider. These TOSC’s often restrict who may access a registered account or service to the individual that created the account, thereby eliminating any flexibility for fiduciaries or other authorized people from accessing the account. Likewise, such TOS’s will usually create restrictions on the ability of someone other than the user to reset or obtain password. In general, it’s the restrictions found in these TOCS’s that set up our fiduciaries for failure under the CFA and SCA.

The operation of the Australian Communications Consumer Action Network is made possible by funding provided by the Commonwealth of Australia under section 593 of the Telecommunications Act 1997. This funding is recovered from charges on telecommunications carriers.

This work is copyright, licensed under the Creative Commons Attribution 3.0 Australia Licence. You are free to cite, copy, communicate and adapt this work, so long as you attribute the authors and “University of Melbourne, supported by a grant from the Australian Communications Consumer Action Network”. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/au/

This work can be cited as: Bellamy, C., Arnold, M., Gibbs, M., Nansen, B. and Kohn, T. 2013, Death and the Internet: Consumer issues for planning and managing digital legacies, Australian Communications Consumer Action Network, Sydney.

Acknowledgements

The authors would like to express thanks to the ‘key informants’ in this study whose views were invaluable in guiding the direction of the report and helping us to map the complex terrain of managing digital legacies. Many of the key informants are from leading archives, telecommunication companies, religious organisations and online memorial companies but due to ethical considerations cannot be named personally in this report. The support from The University of Melbourne and, in particular, the Interaction Design Lab in the School of Computing and Information Systems has been invaluable through the provision of a supportive research environment. We would also like to especially thank the Australian Communications Consumer Action Network (ACCAN), who supported this research through their grants scheme and were proactive and generous in their impartial and professional feedback on drafts of the report.

Executive Summary

The growing use of software applications in the home, the workplace, and in public places has resulted in the increased production and use of personal digital files. These digital files may take the form of emails sent to colleagues, photos of family and friends taken on a camera or smartphone, music downloaded from a number of different services, or videos taken at weddings or birthday parties. In this environment of increased data production and usage, unavoidable questions arise as to what happens to these files when a person dies. This report considers this question in regards to a broad spectrum of digital media types and services with a particular emphasis on describing the current ownership and privacy issues, which are key to understanding how digital files may be bequeathed to another person.

There is, in general, a lack of understanding about the rights consumers have over the digital files they buy or produce that has implications in the context of death. The purchaser of a physical product such as a book, a CD, or a DVD has certain ‘normalised’ rights over the product such as to give it to another person. This is termed ‘the right of first sale’. This allows for gifting, lending libraries, secondary markets of copyrighted work (such as book stores and second-hand record shops) and for bequeathing a collection of books or CDs to relatives and friends. However, regarding digital products and services such as eBooks and music streaming services a different set of distinct and separate relationships are in place and it is not always clear what the consumer’s rights are in the context of death and the bequeathment of digital items.

Consumers need to be made aware that when they press the ‘buy’ button on an eBook or music file that they are not really buying anything at all. The appropriate term is ‘rent’ or ‘loan’ as there is usually no transfer of property in the transaction, only a limited right to use. In addition, the delivery methods of digital products are changing rapidly so increasingly there is no physical copy of the digital products, coupled with the inherent ‘right of first sale’ licence embedded within the physical copy. The situation is bound to become even more convoluted with the increase of cloud services to deliver entertainment and other software services where there is no transfer of a digital file or ‘property’ in any meaningful sense of the word from one party to the other. Thus, the ability to bequeath something to another person is challenged if it is not owned in the first place, or if there is no local copy.

The issues of ownership of digital files and their transfer to another person, contractual obligations, and the maintenance of digital files over time are key issues in the emerging digital economy. Although it is not possible to comprehensively explore these debates across all the industries and services that make up the digital economy here, what we can do is outline some of the innovative and practical responses to the management of digital legacies and the key issues that surround them for consumers. Some of these responses include new services to allow the download and storage of data locally and then the ability to request, for instance, that all the data held by the online services is deleted upon death. Other responses include ‘digital lockers’ where passwords and important digital files may be stored and accessed by an Executor of a Will, friend or relative upon death. Many

legal professionals and estate planners suggests the inclusion of a ‘digital registrar’ in a will that states the location and passwords of digital accounts with additional instructions such as ‘delete all files’ or ‘create an online memorial’.

Digital files of all types now constitute an important part of our personal and family histories, thus the ability to transfer them to another person is of vital importance for the transfer of family heritage from one generation to the next. The loss (or at least changing nature) of certain property rights within the digital economy impede the ability to transfer some copyrighted material to others, thus consumers need to be aware of this and create strategies to prevent their important digital legacies being lost through non-transferability. Companies within the digital economy also need to make consumers aware of their rights over materials such as music and eBooks as there are still many misunderstandings about them that originate in the normalised copyright relationships of the pre-digital economy. Companies also need to create new products to make the task of planning and managing digital heritage easier and there are positive steps emerging in that direction.

In previous generations only individuals with a public profile, such as politicians and leading entertainers, needed to be concerned about their posthumous media legacy. For celebrities a life in the public spotlight was a matter of record with key events, relationships and achievements recognised and documented for private and public purposes. For these individuals, a legacy of letters, papers, photos, films and other aspects of a prominently recorded life needed to be managed and curated for the historical record; perhaps to be donated to an institutional archive or given to family members for use in family histories and memoirs.

It is arguable that today this situation has been democratised, and in a sense, almost everyone is a celebrity in so much as ordinary people are routinely creating a digital record of everyday life and in the course of everyday life are assembling a media legacy of considerable personal volume and importance. This digital legacy will commonly include email accounts of work-related or personal emails, social network accounts on services such as Facebook and Linkedin, music accounts on services such as iTunes and Spotify, images on services such as Flickr or Picasa, videos on services such as YouTube, documents of many kinds on cloud storage services such as DropBox – some of which may be encrypted, and books and newspapers on services such as Kindle.

In this context, what happens to our ‘digital legacy’ upon our death, and how it may be passed from one generation to the next, has become an increasingly important question. Some aspects of our digital legacy may have a monetary value, such as online auction, gambling and financial accounts, and some aspects of our digital legacy are of personal value, such as videos, documents and photos. Digital technologies are increasingly utilised in daily life and are important records of a life lived, especially to friends and family who wish to remember us. Without considering the management of this digital legacy, there is a danger that it will become inaccessible and/or destroyed when a person dies. It is the responsibility of consumers to be proactive and manage their digital legacy, but digital services providers also have a responsibility to provide quality services, and locatable information and policies to assist in this process.

Methods

This study of digital legacy has drawn from a mixed-method approach that relied on three sources of information. The first was information provided by ‘key informants’, that is, semi-structured interviews with a number of individuals in various professions and industry sectors that have expert knowledge of the issues surrounding the management of digital legacies in the context of death. These professionals included spokespeople for various religious groups, senior executives of telecommunications companies, estate planning lawyers, moderators of online memorial sites, Internet service providers, and national and institutional archives. For ethical reasons, and because of some restrictions by their employers, the informants’ quotes remain anonymous in this report. The second source of information was the literature on death, memorialisation, and digital legacies, and our interview questions and subsequent responses were contextualised within this literature. The third source of information was the existing terms of service and policies of leading social media and telecommunication companies that provide services relevant to digital legacies and digital memorialisation.

Using this approach we were able to develop a generalised, conceptual understanding of the key considerations for bequeathing, memorialising, and preserving digital materials in the Australian context. Each digital media type, along with their associated industry and service provision, differ in terms of how they approach the death of a client and given this scope it is not possible here to provide a comprehensive view of the landscape. Nevertheless, some key and consistent issues emerge that primarily circulate around notions of ‘property’ and ‘privacy’. The issues associated with consumer rights in terms of ownership and transferral of digital files are emerging in debates in the US and EU, but have not yet matured in the Australian context. These debates have implications for the many issues associated with digital legacies and bequeathing digital materials.

Discussion

Property and privacy

There is a variety of different places where data may live and if someone passes away questions arise as to whose data it is (Chief Regulatory Officer, Major Australian Internet Service Provider).

The question of who owns what in digital environments is complex and is an important consideration in determining what may be bequeathed to others upon death. Digital property may include emails, photos, blogs, web-sites and URLs, electronic documents, music files, content uploaded to social media accounts and so on. Ownership of digital media and the conditions of posthumous access to it will usually depend upon the particularities of the Terms of Use Agreement that were entered into when the deceased signed up for an online service. Overarching contractual rights, intellectual property rights, and various forms of copyright law further complicate the situation. In addition, digital media may be held locally on a hard-disc or may be held remotely on a server, very often in another country and in another legal jurisdiction.

Conditions [terms of service] can change rapidly and often allow for retrospective re-writing of the conditions (Adjunct Professor of ICT, University of Melbourne).

So while there are well-established procedures for locating, valuing and transferring ownership of physical property such a real-estate, cars and books, the task of locating, accessing and disbursing digital assets after death is often more difficult. For example, many online services (i.e. Facebook, iTunes) have Terms of Service agreements that disallow the transferring of an individual’s account to another individual. The companies in question have agreed to provide a service to a named individual: the agreement, and the service provided, terminates upon that individual’s death. Many years of photos, videos, text files and other digital files and documents uploaded to an online service may be lost forever if posthumous access to them is not arranged and local copies are unavailable.

In physical items it is the physical item that embodies the licence and effectively the physical item is the licence, whilst in a digital transaction, the digital transaction defines the terms of the ownership, if any (Adjunct Professor of ICT, University of Melbourne).

A common-sense solution to this problem that appears to be emerging is for individuals to provide a list of services (Flickr, PayPal, Facebook, Dropbox, etc.), and to provide the relevant username and password for each service, along with instructions for friends, relatives and the Executor of the Will to execute upon a person’s death. Common-sense though this may be, it is often against the Terms of Service of many US service providers (Gmail, Hotmail) who prohibit the transfer a username and password to a third party, and forbid any individual from accessing another person’s account, deceased or not. Other online service providers (particularly Australian providers such as iiNet and Telstra) do allow this and consider an individual who has been given the username and password to be an authorised agent of the account’s owner. Of course, for all practical purposes, the identification of the person using the username and password cannot be verified.

I can bequeath any physical item under my control before I die, but with non-physical items we usually only have a licence to use so it may not be possible to bequeath (Adjunct Professor of ICT, University of Melbourne).

As with the issues of digital property rights determining what may or may not be done with digital files, privacy is also a key determinant in the Terms of Service policies that guide the use of social media and other software applications on the Internet. Much of the communication that occurs online is between one individual and another and is private in nature, thus Terms of Service policies are designed to protect the privacy of an individual, even in death.

Email is a good example of this privacy issue. Email is one of the oldest and still most common communication modes on the Internet and like paper letters, emails are usually context-specific, personal in nature, and not meant for broader public consumption. Email services such as the US­based Gmail and Hotmail are conscious of this and have strict rules that forbid access to the email associated with a deceased person’s account. Thus emails will be inaccessible and destroyed if provision for preservation has not been made for them before the death of the account holder. This being the case, if someone wishes to bequeath their emails they must take steps to archive and store the emails locally, rather than relying entirely upon the email service provider to make them posthumously available.

It is also good practice to keep private correspondence outside an employer’s email system and to use a separate email system for this type of communication. Work-related email systems will usually be subject to an employer’s own privacy and terms of use policies and employees may have little or no control over these. If work-related emails about specific projects or relationships wish to be kept, they may be downloaded and stored in the same context as other digital objects relating to the projects. This may be subject to legal constraints and taking particular care where property, such as trademarks and patents, are concerned is advisable.

Wills and digital registers

Although not well publicised, an emerging approach to managing digital legacies is the ‘digital register’. Passwords and account locations may be recorded in a digital register to accompany a last will and testament and agencies such as the State Trustees of Victoria do recommend this. A digital register contains the locations and passwords of online accounts so that the digital media and files that they hold may be given to friends and relatives. This register can be prepared by an individual, or can be prepared with the assistance of a legal specialist in wills and deceased estates. It is also possible within a digital register to request the closure of some or all online accounts upon death so that sensitive or irrelevant material is deleted. However, the ability to include a digital register within a will is generally not well-promoted by specialists in wills and deceased estates nor other institutions that manage the affairs of deceased persons. Although there is much information available online, such as templates and other guidance for creating a last will and testament, there is little in the way of guidance for the broader management of digital legacies. Thus it would appear much more educational work needs to be done in this regard.

We need to know who their next of kin is or who is the executor of their estate or what their instructions are for that data stored in their account (Chief Regulatory Officer, Major Australian Internet Service Provider).

In order to partly address this issue, this research leads us to the following recommended steps to create a digital register within a will:

Nominate a Digital ‘Executor’: A decision needs to be made about who is going to manage the digital assets upon the death of the individual concerned. This is usually the Executor of the Will. They should have the technical skills to locate and access accounts, to identify the files associated with these accounts, and to carry out instructions in respect of these files. Alternatively, a friend or family member may be nominated to assist in this regard. A digital register and associated instructions may be included as an appendix to a will, and like the will, should be kept in a safe place known to the executor. Commercial service providers (e.g. Security Safe or Legacy Locker) offer specialist services that will store important data and passwords that allow nominated individuals to access accounts and files in the event of death or disability.

List Locations and Access Methods: Details need to be provided on where to find digital property or assets, and clear instructions need to be given on how to access files and groups of files, and what to do with them upon death. It is important that information about locations, usernames and passwords are up-to-date and retained securely. Finding and gaining access to accounts after death can be extraordinary difficult, if not impossible, without this information. Enabling a digital legacy to be disbursed or deleted as appropriate also reduces the possibility of identity theft and the possibility of reputational damage and distress brought to friends and relatives should privacy be violated upon death.

Prepare Paperwork: If accounts are to be closed upon death, most companies require a formal process in which proof of death is provided (usually a death certificate or published obituary notice) by a person authorised to act on the deceased behalf (usually the Executor of the Will). They may also require proof that this person is authorised to act on the deceased’s behalf.

Given the current possibilities and limitations for bequeathing digital assets, our research suggests consumers consider the following when preparing instructions in a digital register:

Decide what should happen to the content of files stored on cloud services, messages stored in email accounts, images stored in photo sharing accounts and so on. There may well be many thousands of files in these accounts, and providing individual instructions for each may be impractical. Thoughtful categorisation of files into archives is a useful thing to do for everyday purposes and will also make the job of deletion or disbursement of a digital estate much easier and more effective.

Decide whether to periodically create local archives (back-ups) of online personal files. This is increasingly easy to do and most of the larger social media and software companies now

offer a download facility. However, once the data is downloaded and stored locally it is also important to consider its safety in terms of privacy. If stored on a removable hard-disk for example, consider password protecting or encrypting the disk and keeping it in a secure place, or giving a second copy to a trusted friend or relative for safe keeping.

Decide if an individual social media profile will be deleted or memorialised (see Online Memorials section below for further discussion). Or, alternatively, if a memorial site would like to be established as a legacy. If converting or creating a memorial profile it is important to consider what content will be on display, who will be able to view it, and who will be curating or moderating any posts made to the site.

Personal digital archives

Another emerging approach to managing digital legacies is what many leading archives, such as the US Library of Congress and the National Archives of Australia, refer to as ‘personal digital archives’. As previously noted, digital technologies have impacted upon many aspects of contemporary society and economy and organisations have responded to the challenges of the storage of this data and its re-use by building digital repositories at an institutional level, and even at a national and international level. However, personal data – the data relating to an individual’s life – has until recently been neglected in the debates and practices about archiving. So, for example, it is only in recent times that online companies have provided facilities to download personal data for local storage and safekeeping. Some services include:

Facebook allows individuals to download nearly all the information they have shared on their timeline including photos. There are also expanded options that allow individuals to view cookies, logins, logouts and many other ways of interacting with the site. See: https://www.facebook.com/help/131112897028467/

Also, Google’s take-out service is a welcome recent initiative which allows users to download and archive data from many of their Google services. See: https://www.google.com/takeout/

Downloading and archiving Gmail or Hotmail accounts is a little more difficult as it requires a local instance of a software application such as Thunderbird to download all the emails so that they can be read and stored locally. Once emails have been downloaded, it is possible to export them in different formats and in complete folders. The emails can be associated with a particular project or a particular family member or friend. Other emails that are either personal or irrelevant can be deleted.

Another consideration in terms of creating local archives is making sure that local copies are in a format that can be used at a later date and are in the best possible quality. There are a number of considerations here but generally it is important that the files saved are in popular formats that are in general use, such as JPEG or TIFF in term of images, or MP4 in terms of video. However if a MS Word document can be saved as a plain text file without losing too much of its structure, then it should be saved as a plain text file. There are many organisations involved in digital preservation that have published useful tip sheets on

In light of the fact that many of the practices and products associated with managing digital legacies are new and in flux, the digital archivists we contacted recommended that consumers be proactive and largely take responsibility for their own digital legacy. Consumers should periodically download and archive all digital files (photos, tweets, videos, documents etc.) and keep them locally on a portable hard-disk. Using this method it is possible to curate the storage disks in such a way that only the files that are wished to be included are available to the friends and relatives of the deceased. Sensitive or irrelevant information should not be included in the archive and may be deleted with the requested closure of online accounts upon death. Only the information on the curated storage disk will be available; perhaps for use in an online memorial or in a family archive.

The stuff we create is often just the record of what we do and how we live our life and was never meant to be published and there are ethical questions about who should see what upon our death (Associate Professor, Digital Archives, The University of Melbourne).

Once all the data is gathered in one place, it should be put into a simple folder structure. There are no strict rules here but generally the simpler and more straight-forward the better (such as ‘photos’, ‘music’, ‘emails’ or ‘Project X’). ‘Metadata’ or contextual information about the items should also be placed in the folder so others know what it is. This may be in the form of a simple text file that describes what is in the folder, where it was created and why, dates, and any other important information considered relevant for use in a family archive. Google’s Picasa photo sharing system has face recognition software to automatically name-tag all the individuals in family photos.

The digital archivists we contacted in the study also recommended considering issues of significance when consumers plan their digital heritage. Important events such as weddings, vacations, graduations, and other life achievements should be deliberated upon in the selection process.

If it is important to you, you need to have a copy outside of that (online) system because in the future it may fail (Associate Professor, Digital Archives, The University of Melbourne).

With all the data arranged in folders and in one place, it may be then placed on a removable storage disk. It is advised by archivists that storage devices such as DVDs, CD ROMS, and flash drives should not be used because they are fast-changing formats and may not be accessible in the future. Also, online cloud services and other digital repositories should be treated with caution as they also may not be around in the future. It is better to use two removable hard-disks, one to be kept in a safe location and one to be given to a trusted friend. In this way, if one of the disks is damaged, then there is a backup copy available. The disks must be updated regularly to make sure they contain relevant information, and also the actual disks should be replaced every 2-5 years.

If you want to pull the data out of a system like Google and Facebook it is better to keep it inthe standardised form in which it comes (in terms of file structures) as it will make moresense to people in the future, especially if new tools are developed to use it. Also describe

where the data came from and what date it was downloaded (Associate Professor, Digital Archives, The University of Melbourne).

Digital preservation is an active and ongoing process and it is important to intervene in the process and manage digital legacies over time. Another tried and trusted method is to print out important documents and images and store them in a filing cabinet as acid-free paper remains one of the most proven long-term preservation formats.

Although personal digital archives are a practical response to the management of digital legacies and are one of the more promising solutions to the preservation of digital files over time, they are also highly reliant upon consumers taking the initiative and responsibility for their own digital heritage and the number of people who are actually doing this or plan to do this in the future is not really know. In addition, how individuals will repurpose the digital artefacts of the deceased in the future is also not clear. There is an opportunity for an institutional or commercial response to this problem in the Australian context; to create archival cloud-based preservation services that can guarantee to store and repurpose digital artefacts in the long-term with appropriate access, sharing rights, metadata, and preservation formats to insure their survival.

Online Memorials

Apart from challenging issues associated with the preservation and bequeathing of digital artefacts, a related consideration for digital legacies are the possibilities enabled by the Internet for communicating news of a death or commemorating the life of the deceased. The death of a person can easily be announced or discovered through an online service such as Facebook, LinkedIn, or Twitter; whilst the life of a person can be commemorated through a growing range of online memorial services.

Online memorials are an extension to previous memorial services and for a small cost allow a broader public reach (General Manager, An Australian and New Zealand online memorial service).

The first dedicated online memorials appeared in the 1990s, were usually associated with funeral directors, and were primarily stand-alone web pages build by technical savvy individuals for their own family members or friends. A number of companies subsequently offered memorial services to individuals, again usually associated with funeral directors, but also as standalone systems that were not always tied into the funeral service (e.g. Much Loved, Heavenaddress.com, Onlinememorials.com.au, Legacy.com).

Online memorials are about how people cope once someone dies (Chair, An online memorial charitable Trust, UK).

In recent years, with the rise of social media, the trend to ‘memorialise’ personal profiles, particularly on Facebook, has emerged. Facebook was designed to support social connections between the living, yet the popularity of the site over its 10 year history has led to an accompanying growth in the numbers of deceased users – currently estimated at 30 million (Kaleem, 2012). The initially unforeseen issue of what to do with the profiles of the dead has evolved over time and continues to redefine the operation and use of Facebook. The shift in Facebook policy from

deactivating deceased accounts to placing them in a ‘memorialised state’ occurred in relation to a number of significant events and user responses, including the death of a Facebook employee in 2005, the Virginia Tech massacre in 2007, and the introduction of functions that generated suggestions to ‘reconnect’ with friends (including dead ones) in 2009 (Fletcher, 2009; Kelly, 2009).

At the time of writing this report, Facebook was the only high-profile social media company to seriously articulate policies and provide services for ‘memorialisation’ of user profiles, partly because of the size, nature, and public profile of the company. This policy and service could be considered industry best-practice and as with Google’s ‘Interactive Account Manager’, it is hoped that other companies provide similar services to sensitively manage processes associated with the death of their users.

There are two options for the management of Facebook accounts after someone dies (with the appropriate evidence supplied by relatives or friends). A profile can be deleted entirely or it can be converted to ‘memorial status’. Consideration needs to be given as to which of these alternatives is appropriate and instructions perhaps provided before death as part of a digital register (there is no facility on Facebook to provide these instructions before death). (See: https://www.facebook.com/help/)

There are issues about who takes over a site, such as a Facebook profile of someone who

dies, and this is not an easy decision (Chair, An online memorial charitable Trust (UK)).

Family conflict, based around second marriage and children from various marriages may cause conflict if the site is not moderated carefully (General Manager, An Australian and New Zealand online memorial service).

If the profile remains active in memorial status, it may be used by friends as a place to gather and reminisce, and as an ongoing reminder of the life that was lived. Indeed, many people cannot bear the thought of closing down the page of a loved one, particularly where social networking was important to the relationship.

Be aware, however, that online memorials open to the public may become a target for online vandalism – such as so-called R.I.P trolling – some of which can be very hurtful, whilst memorials with appropriate privacy settings may become a site for family disputes to be played out. This means that moderation (that is, editorial control) of comments on the site is required to ensure the appropriate tone and content is used, and someone should be delegated to perform this task (again, perhaps noted within a digital register). In the case of commercial online memorial services, moderation is usually done in-house by the service-provider.

Sometimes people don’t have someone to talk to and online memorials are a way of communicating with others. But some online memorials are used to vent family issues so moderation is important (General Manager, Australian online memorial company).

When a Facebook account is in ‘memorial status’ new friends are unable to connect and automated
prompts and reminders relating to the profile will cease. The memorial site remains available atFacebook’s discretion, and there is no guarantee that the memorialised profile will be available

indefinitely into the future. This is why personal digital archives are important and local copies of photos, videos or other data should be stored safely on a removable disk.

Despite the growth in Facebook memorials and other online memorials, their use is still fairly new and evolving and is not yet normalised in the same way as traditional memorial practices. As a result, online memorialisation has been subject to public debate and controversies around issues such as appropriate conduct and interaction and responsibility for administration and moderation (e.g. Kohn et al., 2012). Again, managing a digital legacy means that due consideration to all of these issues needs to take place before death.

…technology must not take over the character of the (funeral) occasion and this is not a problem of the technology, but how is how it is applied. Place, community, and embodied relationships shouldn’t be discounted by the abstract, disconnected nature of the online memorial (Senior representative, Church of England, Melbourne).

There has been a substantial shift in funeral services towards the celebration of one’s life away from fear and judgement. More symbols of one’s life are used in a service; photographs, videos etc. and at least half or more funerals have an audio /visual aspect to them now (Catholic Priest, Melbourne).

As previously noted, the online memorial services that commercial companies provide typically may form part of a funeral package or may be offered as a separate service. The providers of these online services may be located in Australia or any other country. From our discussions with individuals within the online memorial industry we discovered that typically, the sorts of features that are offered include:

Profile page of the deceased person

Photo and video publication

Obituary publication

Comments; usually open to the public but moderated by the service provider

QR code (or advanced barcode) that can be placed on publications or even the gravestone of the deceased that allows individuals to easily find the memorial page

The ability to interact with the memorial page through such activities as lighting a virtual candle or watering a virtual tree

Donation to a charity, such as one associated with the cause of death of the deceased, or one they played a part in whilst alive

Online communities, such as the Australian Defence Force, which honour the memory of individuals who died in conflicts. These communities may be moderated by a representative from this community

Promotion of the memorial profile through such features as share-buttons for Facebook, Twitter, or other social software sites

Hosting of the memorial site in perpetuity for a once-off initial fee

There are a number of considerations for consumers when deciding upon an appropriate online memorial service, one of which is the sustainability of the memorial profile itself. Although many services may claim that they will host the memorial page ‘forever’, this is very unlikely in practice. Technical factors may well limit the life of the site as web-serving technologies are fast evolving and

neither hardware nor software have a useful life extending to decades. Companies must be trusted to continually migrate the content of memorial sites to contemporary software and hardware platforms – which can be a costly business. For a memorial to be guaranteed into perpetuity, it requires the guarantor to survive into perpetuity, and already a number of online memorial companies have gone out of business. Consumers should check the health of the company through assessing how many memorial pages are hosted and check that protocols are in place to migrate sites to new technologies when required. As always, it is good practice to keep local copies of text, images and other media types that are submitted to a memorial (or any other site) within a personal digital archive so that they may be bequeathed to others family members or friends.

We have a 10 year end point on our memorials because we thought this was ample time for bereavement but at the end of ten years people can keep it if they want (Chair, An online memorial charitable Trust (UK)).

Issues in Bequeathing Key Digital Media Types

In this section of the report we describe some of the common media types used by consumers and the challenges relating to them in terms of bequeathing them to others. There are many limitations to the bequeathment of digital media to others and, as previously noted these limitations are associated with some defining issues of the digital economy: property and privacy. There are, perhaps predictably, numerous misconceptions circulating in the popular press, perhaps originating in the pre-digital era, about the assumed property rights that consumers have over digital media, especially music and ‘the right of first sale’ (i.e. to give or sell copyrighted material to someone else) (e.g. Bradgate, 2010). But the general rule is that unless the music was written by the individual consumer, then it is not owned by the consumer and again if there is no physical copy, then there is no ‘right of first sale’ (nor bequeathing to others). This general rule may be applied to other media types as well, although with some media types (or communication mechanisms) it is not issues of property that are key, but issues of the protection of individual privacy.

In the following we list some of the important issues in key media types as they relate to death, bequeathing and privacy. This is by no means an exhaustive list; nor are the issues we flag stable or resolved. The digital economy is contested and in flux and many of the processes that deal with digital media in the context of death do not have a developed legal framework, business processes, or social norms to guide practice. From our research into the terms of service of the key players associated with each media type, coupled with discussions with the key informants who contributed to the study, we outline the issues relating to the bequeathment of key digital media types.

Music

Digital music is often licensed for individual use and thus cannot be bequeathed upon the death of an individual (i.e. iTunes, Spotify). The copyright of the digital music is held by the person who created the music and the licence allows consumers to listen to the music. Companies such as Apple have complex consumer software licences that once clicked are binding, and certain legal rights are given away (as when a document is signed). In effect, when using a service such as iTunes the individual is entering a contract with Apple and the contract, or ‘Terms of Agreement’, outlines what can and cannot be done with a digital file. The licences are in place to protect the producers of the music, who give it to Apple under the provision that Apple will protect their interests, as well as the interests of the consumers.

It is important to note that under Apple’s Terms of Agreement Apple will not replace digital files and files can only be downloaded once, thus any transfer of files is potentially illegal under US copyright law. If a file is lost, Apple will not replace it, thus personal backups are important. Indeed, when an item is ‘purchased’ from iTunes, it is not actually ‘owned’ by the individual who purchased it. The individual is paying for a licence to listen to the music, not to own its content, as the content is owned by the artist, or company, who owns the copyright.

Other companies have different consumer software licences that vary according to what can be
done with a digital file (such as Creative Commons licences). It may be the case that a digital audio

file is in the public domain and thus has few or no intellectual property rights upon it. This means, in effect, that the music can be used by the public in certain ways, but cannot be owned by an individual and thus cannot be bequeathed in a will.

Images

Copyright of a photograph is owned by the individual who took the photograph, unless the rights are specifically given to another. Uploading a photo to the web doesn’t change this and copyright is retained by the photographer. Thus photos can be bequeathed to another person in a will and many professional photographers, who earn a living from their photos, do this as a matter of course.

In the case of popular services such as Flickr, users may choose an All Rights Reserved licence for their uploaded photos, or a Creative Commons licence. A Creative Commons licence is a series of licences that limits what users may and may not do with photos, such as reusing them for commercial purposes or using them without attribution.

In the case of other popular systems for publishing photos, such as Facebook, the copyright is still owned by the photographer. The Terms of Service grant Facebook the right to reuse your photographs in certain features of the system, but this is primarily determined by the user’s privacy settings. Other systems may have differing copyright provisions and it is always prudent to check the Terms of Service before uploading images to a particular service.

In many communities around the world, photos have come to play a significant part in the documentation of family history, and considering how they will be maintained and bequeathed is important. Although online systems are convenient places to share photos, they are often published in a compressed and low-quality format. It is best practice to retain copies, in the best quality possible, along with the important information about where they were taken, dates, and people in the photo. Many digital cameras allow ‘metadata’ (descriptions about the photo), to be written into the file, or this can be done once the file is transferred to a computer.

When an Aboriginal person dies, it is a major event and people will travel from all over the region to attend. If someone cannot attend, then they will send a fax to apologise. The funeral is a very social event and at the event a Memorial Booklet of their life story is often produced. The Memorial booklet may contain several pictures of the deceased and this is one way in which the practice of forbidding the public display of images of deceased Aboriginal people is changing. Another way is that family members may keep one or more photos of the deceased for viewing privately, but the main issue is most remote aboriginal groups do not allow the photographic representation of Aboriginals who are deceased, but this may differ from region to region (General Manager, Indigenous association in remote Australia).

Video

As with photos, the copyright of videos uploaded to popular systems such as YouTube is usually owned by the person who recorded the video, so videos may be bequeathed. However, once uploaded many of the exclusive rights that the individual has over the video are granted to YouTube (as outlined in the Terms of Service). YouTube may, for example, republish your videos in other parts

of the YouTube system, and use your videos to raise revenue through adding banner advertisements to them. However, the licence that YouTube has to use your videos is terminated once the videos are deleted from the service. YouTube’s Community Guidelines and Terms of Service give further guidance on this topic.

Along with photos, videos now form an important part of family history so it is important to consider their long term maintenance. As with photos, it is best practice to keep the best possible copies of the digital files in a local folder using popular formats such as MP4, ensuring that additional contextual information accompanies the videos to enable future generations to appreciate their content.

eBooks

As with digital music, eBook files are usually licensed for individual use and cannot be bequeathed. The terms of service give you the right to use the file, that is, read the book, but you do not own the file: your right to read may expire on a certain date, and the file can often only be read with proprietary combinations of hardware and software, such as Kindle. In some cases your licence may be extended to friends or family, but the ownership of the file still remains with the e-publisher. An important exception to this are books that are out of copyright and have been digitised and made available under a Creative Commons licence by organisations such as Project Gutenberg and Google Books. These copies may be bequeathed as in effect they are not owned by anyone.

There are many advantages to eBooks, but bequeathing is not one of them. If an individual is concerned about the inter-generational longevity of their library, it is best to buy physical copies of the book in the first instance, and not the eBook version. The physical copy can then be bequeathed in a straightforward fashion. Books are an important component of intellectual development and again form an important component of family history. The seminal and important books that one reads and wishes to pass to others should be in physical form.

Email

Email is one of the more problematic communications applications on the Internet in terms of privacy, bequeathing, copyright, ownership, and archiving. It is also one of the oldest and most popular uses of the Internet with many personal archives dating more than 20 years. It is seen by many as a more mature person’s medium as younger generations have in large part moved to social media for communications. It is also more likely to be used for professional as well as personal purposes. In terms of archiving, many large organisations will store emails for a defined period of time. But there are no certainties of this, and emails will usually not be stored indefinitely.

There are many issues in the preservation of emails in large companies and many of them are technical (Associate Professor, Digital Archives, The University of Melbourne).

An important fact to consider is the distinction between emails that are sent for professional purposes and emails that are sent for private correspondence. Many organisations have policy recommendations that advise under what conditions, if any, company email may be used for private purposes, and some organisations require that personal communication not take place on company

email systems. Even where this is not the case, individuals who want their personal emails to remain private will usually maintain a private email account (on say Gmail or Hotmail) in addition to their company email account. Privacy concerns arise because many companies will monitor all emails on their email systems to check compliance with broader company policies.

Thus there are a number of things to consider when bequeathing email. Email may well be personal correspondence intended for the recipient only, and one may wish to think carefully about archiving this correspondence, and if archived, to whom it is to be bequeathed. Personal correspondence between siblings, partners and friends may well constitute a valuable archive to pass to loved ones but some email should be considered private, even in the context of death.

There may be mechanisms in place for intergenerational transfer of materials but there also needs to be a respect for the record and the personal stories that they represent (Associate Professor, Digital Archives, The University of Melbourne).

Organising personal and professional correspondence in a thoughtful way is necessary if it is to be effectively archived and bequeathed (and again the responsibility here falls upon the individual). Most locally installed email clients enable emails to be stored in nested folders, and the structure of these folders should clearly separate out different categories that represent the context in which the emails were produced and lay out a coherent history of correspondence. In this way the archived email will be comprehensible in the future not just to the author, but to the beneficiary.

Email needs to be separated between a business environment and a personal environment. The data in an email account usually belongs to the account holder but in a business there is an argument that the email belongs to the company and it may be very difficult to gain access to company email if someone has left that company (Chief Regulatory Officer, Major Australian Internet Service Provider).

If individuals want their emails to be readable for decades or more, they should be saved in an archival format, such as plain text, rather than the email program’s proprietary format. All proprietary formats are subject to rapid obsolescence.

Mobile accounts and texts

The procedure for dealing with mobile phones and the SMS texts and data that they contain differs between service providers but in general the larger service providers have established policies to deal with the death of a client (Optus, Telstra). Procedures usually require the next of kin to contact the service provider on their customer support line and notify them of the death. The next of kin or authorised representative must provide the appropriate evidence of death, such as a funeral notice, a death certificate, or a statutory declaration confirming authority to act on behalf of the deceased. The next of kin or authorised representative is then required to complete and submit a form outlining what is to happen to the particular accounts.

There are usually two options for dealing with a deceased person’s account; the account may be closed, final bills paid and all data (text messages, favourites, contacts, recent calls etc) is then deleted. However, accounts may also be transferrable to the next of kin by the authorised representative so that the service is continued. This means that the same mobile phone number is

retained and call records, text messages and so on may also remain available. Text messages are usually stored on the phone, so if the next of kin has access to the phone and the phone password, they will also be able to access the texts.

Telecommunications providers do not provide a service for a client to request that their phone account be deleted upon their death, which does raise some privacy concerns. However, even if this was the case, there is still the possibility that the next of kin and authorised representative can have access to the phone handset itself, and if unlocked, will be able to access texts, recent calls, contacts and so on, regardless of the telecommunication company’s policies.

Telstra doesn’t require a death certificate but the customer must have the appropriate authority such as Executor or be the Next of Kin. The account can be either closed or transferred to another individual after filling in a form or through ‘voice signature’. A password holder is an authorised user and can change details on an account and it is transferable (Senior Executive, Major Australian Telecommunications Service Provider).

Web sites and domain names

Web sites and domain names may be bequeathed to another person with instructions given in a will and accompanying digital register. The regulator of domain names in Australia, auDA, has a policy for transferring ownership of domain names to a deceased person’s estate that applies to the particular registrar with which the domain is located (such as Melbourne IT or Netregistry). In the event of an individual’s death, the domain registrar should be contacted and appropriate evidence of death supplied. It is then a matter of transferring the domain name and the account associated with it to another person (there may be a fee for this service).

Another important consideration here is that the domain registrar and the web site host may be two different companies. If this is the case, the web site host will also need to be contacted and again, appropriate evidence supplied. Access to the web site files can be granted to next of kin or nominated person and the account’s name and files transferred to the nominated person.

Future Implications

Given the size of the digital economy and the plethora of services and products now available to the public it is difficult to prescribe a simple fix to the fact that inevitably users of these services will die. However, this is not to say that developers of software products and services could not do more to consider the issues that will only become much more acute in the future. There have been many promising responses to digital inheritance and memorialisation, with products such as Google’s Inactive Account Manager recently becoming available and other services such as Facebook, YouTube, and Twitter providing first-rate facilities for users to download and store data locally. It is uncertain if individuals are actually using these services and taking proactive responsibility to store their important digital items locally or consider the privacy implication of their data in the context of death. More research needs to be done in this regard before, as a society, we come to realise that a great deal of our collective, family and personal histories that have migrated to the Internet have become lost or inaccessible

Some pending issues include:

Many online systems and service providers do not have procedures in place to cater for the death of a user. The ability to designate an inheritor of personal data files or to request their deletion, according to the user’s preferences is missing in many systems and services. Google appears to be one of the only innovators in this regard (through its Inactive Account Manager). The lack of these services creates privacy concerns for the deceased and unnecessary complications for the next of kin.

There are significant internal inconsistencies and recourse to ad-hoc arrangements in how some companies deal with the death of a client, especially relating to personal data.

A lack of clear or consistent options from service providers means that individuals need to take responsibility for their digital assets. Most importantly, this includes creating and maintaining a local archive of important digital assets, making decisions in regard to the disbursement of them, and leaving clear and accessible instructions to enable them to be accessed, deleted or disbursed as appropriate.

The importance of creating personal digital archives is not well-established in the popular imagination and the products and services available to facilitate this are inadequate. Digital service providers could offer much more leadership in this respect. There are also neither established mechanisms nor customs for re-repurposing the digital artefacts of the deceased. Best practices such as personal digital archives are still evolving, and must be assembled from multiple sources.

Protocols and practices for bequeathing digital assets alongside material and financial assets in the context of a legal will and ‘digital register’ needs to be further developed by relevant agencies. Concepts of digital property and the rights consumers have over digital files are not always clear and consumers need be aware of what can and cannot be bequeathed.

The governance of memorial sites is generally a shared responsibility undertaken by the proprietors of the online memorial sites and the friends and family of the deceased. There is potential for vandalism and for conflict on these sites and they need to be carefully managed.

If legal cases in the EU and law reform debates in Australia (Copyright and the Digital Economy, Australian Law Reform Commission, Issues Paper, 29 June, 2012) alter notions of the right of first sale to extend to digital products such as software, eBooks, and music this will have significant implications for bequeathing some digital products (see Further Reading).

Further Reading

The literature on, and implications for, digital legacies is broad, covering many fields and disciplines of research. There has been growing interest within the archival, library studies and digital humanities communities about the issues that surround the preservation of personal data and the creation of ‘personal digital archives’, but few studies focus specifically on death and bequeathing data and digital files (except for the work of Carroll and Romano, 2011).

The larger body of work on online memorials has largely been positioned within a research approach that considers the psychology and sociology of grief and support and this connects with a wider literature in the social sciences that examines death, grieving and memorialisation (e.g. Aries 1983; Hockey, Komaromy and Woodthorpe 2010; Kellehear 2007; Robben 2004).

Studies of online memorialisation have looked at the use of online sites for things such as sharing of grieving, remembering, commemorating and providing social support (e.g. Jones 2004; Roberts and Vidal 2000; Sofka 1997; Veale, 2003, de Veries and Rutherford, 2004). More recently, following the popularisation of social networking sites, attention has turned to social networks with particular focus on the practices of teenagers (Carroll and Landry, 2010; Williams and Merten, 2009). Computer interaction and interface designers have also become increasingly interested in addressing the many design challenges presented by the development of online memorial practices (Brubaker and Hayes 2011; Gibbs et al. 2012; Mori et al. 2012; Odom et al. 2010).

There are also a number of reports that discuss, broadly, consumer rights in the digital economy, such as the Robert Bradgate’s Consumer Rights in Digital Products report prepared for the UK Department of Business Innovation and Skills (2010). Bradgate discusses the issues of tangible and intangible goods and the contractual rights that are lost or transmuted in digital products, which has numerous implications for bequeathing digital products. The main contention in legal debates in this area appears to be the ‘right of first sale’ (or ‘exhaustion of rights’): the rights that are lost when a copyrighted material is sold in digital form and not physical form. It is legal to sell a copyrighted copy of a CD or book, but illegal to sell the same version that is in digital form because the licencing arrangements when it was ‘purchased’ (or loaned) are different. The ‘first-sale’ doctrine is limited to physical items and there are contrasting and still unresolved approaches between certain courts in the EU and the US on the sale (and transfer) of second-hand digital assets. Legal cases include Capitol Records LLC v ReDigi Inc, in the USA, where a US district court in New York ruled that ReDigi, the operator of an online marketplace for second-hand music downloads, is liable for copyright infringement. In the EU, the Court of Justice in the European Union is taking a divergent approach in terms of allowing the right of first sale for software (UsedSoft v Oracle, C128/11).

In Australia, the Australian Law Reform Commission (ALRC) is currently reviewing the Copyright Act 1968 to consider whether existing exceptions in the act are adequate and appropriate in a digital environment. In a submission to the ALRC’s Issues Paper, Copyright and the Digital Economy Issues Paper (IP 42), the Digital Policy Group of The Australian Interactive Media Industry Association (AIMIA) – which counts eBay, Facebook, Google and Yahoo!7, among its members – proposed that:

~the ALRC introduce an exhaustion of rights doctrine in Australia in order to facilitate secondary markets for software, digital works and subject matter other than works and product that embody software material. The ability of a copyright owner to restrict the transfer of copyright interests as currently permitted under Australian law is a restriction on the ability of an individual or small business to legitimately trade in items of value (p20).

If the Australian Copyright Act and in particular, the right of first sale doctrine is altered to accommodate digital products, this will have repercussions for bequeathing digital products, particularly eBooks and music. This review was in progress at the time of writing this report.

Authors

Dr Craig Bellamy is a Research Fellow in the Department of Computing and Information Systems at the University of Melbourne. His work primarily focusses on the intersection of computing and the humanities, especially in terms of the application of new computing research methods to assist in the research process. He is founding Secretary of the Australasian Association for Digital Humanities and has worked in the field at King’s College London and the University of Virginia in the USA. He serves on a number of Digital Humanities program committees for major conferences and the editorial boards of key journals in the field.

Dr Michael Arnold is a Senior Lecturer in the History and Philosophy of Science programme at the University of Melbourne where he teaches and writes about a variety of subjects relating to digital technologies in the social context. Michael has been a Visiting Scholar at the Centre for Applied Research in Educational Technology at Cambridge University UK, a founding committee member of the Community Informatics Research Network, and a Research Associate with the Australian Centre for Science and Innovation and Society.

Dr Martin Gibbs is a Senior Lecturer in the Department of Computing and Information Systems at the University of Melbourne. He is a member of the university’s Interaction Design Lab. His expertise lies in the intersection between the disciplines of Science, Technology Studies (STS) and Human­Computer Interaction (HCI). His research contributes to the critical understanding of the social dynamics of using technology by small cohorts of people in non-work settings. He is also the co­editor of a collected work focusing on ICTs and civic engagement, From Social Butterfly to Engaged Citizen, published by MIT Press in 2011.

Dr Bjorn Nansen is a Research Fellow in the Department of Computing and Information Systems at the University of Melbourne. He researches the adoption and use of digital media and communications technologies in the contexts of households, families and everyday life. His most recent work has featured in New Media & Society, Journal of Children and Media, Environment and Planning D and the Telecommunications Journal of Australia. He recently received an ARC early career researcher award to study children’s domestic use of interactive media and natural interfaces.

Dr Tamara Kohn is a Senior Lecturer in Anthropology at the University of Melbourne. Her research and teaching interests include the anthropologies of the body, leisured practice, and the senses; mobility and identity; personhood, memorialisation and death; and methods and ethics in ethnography. She publishes widely in these areas, drawing on her extensive fieldwork experiences in the UK, Nepal, and Japan. She is currently working on an ARC funded project on ‘Sonic Practice in Japan: sound in everyday life’, as well as researching online memorialisation, with a particular interest in the way in which identities are expressed and enacted through these practices.

Trademarks

iTunes, is the registered trademarks of Apple Inc.

Gmail, YouTube, Picasa, are the registered trademarks of Google Inc.

Facebook and Instagram are the registered trademark of Facebook Inc.

Flickr, is the registered trademark of Yahoo Inc.

Dropbox is the registered trademark of Dropbox Inc.

LinkedIn is the registered trademark of LinkedIn Corporation

Spotify is the registered trademark of Spotify Australia Pty Ltd (or local country of residence)

Kellehear, A. (2007) A Social History of Dying, Cambridge University Press.

Mori, J., Gibbs, M., Arnold, M., Nansen, B. and Kohn, T. (2012) Design Considerations for After Death: Comparing the Affordances of Three Online Platforms. In Proceedings of the 21st Annual Conference of the Australian Computer-Human Interaction Special Interest Group (OZCHI’12). ACM Press, New York, USA.